[Solved] GRE tunnel routing


Could someone help me, please? I'm having a problem with TP-Link C7 router with OpenWrt version 18.06.1.

I am trying to setup GRE tunnel and configure based on openWRT documentation. But when I try to ping tunnel remote Endpoint, ICMP packets don't reach to my Router's Wan interface. Remote Endpoint tunnel is established correctly as I can see ICMP packets coming from remote endpoint to my WAN interface. but again they are not getting forward to GRE interface.

Below is my config for Router 1:

root@OpenWrt:~# ip route show
default via dev eth0.2 proto static src dev gre4-mygre proto kernel scope link src dev br-lan proto kernel scope link src dev eth0.2 proto kernel scope link src

config interface 'mygre'
        option proto 'gre'
        option ipaddr ''
        option peeraddr ''
        option mtu 1500

config interface 'mygre_static'
        option proto 'static'
        option ifname '@mygre'
        option ipaddr ''
        option netmask ''

I don't see any packets from gre interface to wan interface. I am not getting what I am missing here.

Did you open the firewall on your wan for IP Protocol No. 47 (GRE)?

config rule
	option target 'ACCEPT'
	option src 'wan'
	option family 'ipv4'
	option proto '47'
	option name 'Allow-GRE'

No, I did not create any firewall rule. Below are iptables rules after creating GRE interface:

20:-A PREROUTING -i gre4-mygre -m comment --comment "!fw3" -j zone_wan_prerouting
24:-A POSTROUTING -o gre4-mygre -m comment --comment "!fw3" -j zone_wan_postrouting
40:-A FORWARD -o gre4-mygre -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
76:-A INPUT -i gre4-mygre -m comment --comment "!fw3" -j zone_wan_input
81:-A FORWARD -i gre4-mygre -m comment --comment "!fw3" -j zone_wan_forward
88:-A OUTPUT -o gre4-mygre -m comment --comment "!fw3" -j zone_wan_output
106:-A zone_wan_dest_ACCEPT -o gre4-mygre -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
107:-A zone_wan_dest_ACCEPT -o gre4-mygre -m comment --comment "!fw3" -j ACCEPT
109:-A zone_wan_dest_REJECT -o gre4-mygre -m comment --comment "!fw3" -j reject
124:-A zone_wan_src_REJECT -i gre4-mygre -m comment --comment "!fw3" -j reject

Now, I tried creating rule you mentioned but still traffic is not going through.
119:-A zone_wan_input -p gre -m comment --comment "!fw3: Allow-GRE" -j ACCEPT

I am new to openWRT and GRE so I am sure I am missing something basic here.


It doesn't appear you pasted the full line of each rule. I've never seen the output you posted.

I'm very lost at why you're attempting to give the GRE tunnel 2 IP addresses.

This is the output of "iptables-save | grep gre" and it contains full line of the putput.

Wan IP:
Remote Router IP:
GRE interface IP:
GRE Remote End IP:

Do I need to install kmod-nf-nathelper-extra on router?

Ok. So I got gre routing working after installing kmod-nf-nathelper-extra package. But again after reboot, this nf-nathelper does not get loaded and packets do not get forwarded. I added "net.netfilter.nf_conntrack_helper = 1" also in /etc/sysctl.conf and added /etc/sysctl.d/local.conf(created this file and added same entry) but same result after reboot.

Please help.

I got it working. There was a typo in /etc/sysctl.conf . After correcting, module loaded after reboot and GRE tunnel routing works fine.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.